If you control this from inside FM then they are already inside FM and there could be ways for them to break the logic. Like any other ersatz security schema that kicks in *after* the user is already authenticated.

Use External Authentication for this. AD for instance allows just that: restrictions on locations, times of day,... and those would kick in *before* the user gets into the system...